Jonathan Stanton1Spring 2004 / Lecture 5Network IICS 184Wireless (In)Security -- WEPDepartment of Computer ScienceGeorge Washington UniversityJonathan Stanton2Spring 2004 / Lecture 5• Intercepting Mobile Communications: The Insecurityof 802.11 by Nikita Borisov, Ian Goldberg, andDavid Wagner.– Published in Seventh Annual International Conference onMobile Computing and Networking, 2001.• Wireless LAN Security: A Short History– http://www.oreillynet.com/pub/a/wireless/2002/04/19/security.htmlAdditional ResourcesJonathan Stanton3Spring 2004 / Lecture 5802.11 Wireless Security• Wireless LAN networks are commonly built with the802.11 protocol suite (802.11a,b,g,X)Specifies standard networking functions over radio waves– Transparent layer for upper network protocols (IP, TCP, NovellNetWare, …)• Implements wireless networks (WLAN)• Integrates seamlessly into a LAN• Works on any platform, given drivers– Fast: up to 11Mbit/s (802.11b) or 54Mbit/s (802.11a, g)• Ethernet is 10Mbit/s, fast Ethernet 100Mbit/s• Range about 30m/100feet– Widely deployed• PCMCIA cards, built into Apple laptops, embedded solutionsJonathan Stanton4Spring 2004 / Lecture 5Infrastructure Mode• Access points connect to wired network• Multiple mobile stations per AP– Full internet connection for mobile users• University campus• Coffee shops• airport lounges, …Wired networkAccess Point(AP)MobilestationJonathan Stanton5Spring 2004 / Lecture 5Data TransmissionFor both LANs and WLANs• Communication broken into frames– Variable length (up to ~ 1,500 byte)• Header associated with frame– Source address– Destination address– Frame length, …• Packet = header + frameJonathan Stanton6Spring 2004 / Lecture 5Subverting CommunicationWLAN• Eavesdropping– Hardware widely sold– Proximity of source• Parking lot attack• Injecting traffic– Just send to network– May need to modify driver setup• Removing traffic– Scramble radio signalLAN• Eavesdropping– Plug in laptop– Need access to wire• Hardly unnoticeable• Injecting traffic– Just send to network– May need to modify driver setup• Removing traffic– FeasibleJonathan Stanton7Spring 2004 / Lecture 5WEP – Wired Equivalent PrivacySecurity mechanism for WLANs• 2 subsystems– Station authentication• Simulate wired access control– Data encapsulation• Create privacy of wired network• Part of 802.11 standardJonathan Stanton8Spring 2004 / Lecture 5WEP Authentication“Hi, it’s me”nn ⊕ RC4(k)k distributed out of band• S and AP share key k• 802.11 standard: 40 bit• Most vendors now offer 104 bits (advertised as 128 bit!)• n is randomly generated nonce• S is accepted only if last message decrypts to nSAPJonathan Stanton9Spring 2004 / Lecture 5Data EncapsulationA wants to send frame m to B• Encapsulation (A)– Compute CRC-32 integrity checksum cm of m• Public algorithm, does not depend on k– Compute keystream RC4(k,v)• RC4 is secure keystream function (proprietary RSA)• v is 24 bit initialization vector (IV)– Broadcast v,x = v, ((m cm) ⊕ RC4(k,v))• Decapsulation (B)– x ⊕ RC4(k,v)) = m cmJonathan Stanton10Spring 2004 / Lecture 5… Pictorially• Checksum guarantees data integrity•IV– Prevents reuse of keystream• WEP does not prescribe modification of IVs– Sent with each packetm CRCmcmRC4(k,v)v(m cm) ⊕ RC4(k,v)Standard: 40bitEnhanced: 104 bit24 bits24 bitsJonathan Stanton11Spring 2004 / Lecture 5WEP Security Goals• Confidentiality– Prevent eavesdropping• Access control– Prevent unauthorized access• Integrity– Prevent tempering with messagesWEP does not achieve any of them!Jonathan Stanton12Spring 2004 / Lecture 5Keystream ReuseWEP collision–If x1 = ((m1 cm1) ⊕ RC4(k,v))and x2 = ((m2 cm2) ⊕ RC4(k,v))–Then x1 ⊕ x2 = (m1 cm1) ⊕ (m2 cm2)• Independent from key length!• Recognizing collisions• k changes very seldom, if ever• Generally, all stations use same k• v sent in clear with every packet– Look for packets with the same IVJonathan Stanton13Spring 2004 / Lecture 5Likelihood of Keystream Reuse• Ideal case– By birthday paradox• 50% chances of collision after ~5000 packets• < 4 minutes at 5Mbit/s (packets of 1500 bytes)• In practice, IVs are poorly generated– Many PCMCIA cards• IV=0 when inserted• incremented by 1 at each packet– Few thousand IVs determine most traffic• 802.11 does not require changing IVGiven r1, … rn ∈ [0, 1, …, B]If n ≥ 1.2√B,then Prob[∃ i ≠ j : ri = rj] > 0.5Jonathan Stanton14Spring 2004 / Lecture 5Attacks• Passive attacks– Exploit message redundancy• Many fields of IP header are predictable• Login sequences (e.g. Password: )• Transfer of shared libraries, …• Active attacks– Send spam to mobile host– Have mobile host send you email, …• Dumb attacks– Some APs send frames unencrypted alsoIf x1 = ((m1 cm1) ⊕ RC4(k,v))and x2 = ((m2 cm2) ⊕ RC4(k,v))then x1 ⊕ x2 = (m1 cm1) ⊕ (m2 cm2)Jonathan Stanton15Spring 2004 / Lecture 5Decryption Dictionaries• Once packet is revealed, keystream is known• Build table of intercepted keystreams– Maps every v to RC4(k,v))– Requires ~24Gb for 224 for 1,500 byte frames– Less than 1Gb with PCMCIA IV generation• Then, one can decrypt all trafficJonathan Stanton16Spring 2004 / Lecture 5Key Management• 802.11 does not specify how to– Generate– Distribute– Update shared key (and how often)• In practice– Key is loaded in device by hand when set up• Often keep manufacturer’s default– Never updated again– Attacker has years to compromise key• A few hours are enough for 40 bit versionJonathan Stanton17Spring 2004 / Lecture 5Restoring Confidentiality• IV is too short– Collisions frequency reduced with longer IVs– Relatively small decryption dictionary• IV update unspecified (and non required)– Force collision resistant IV generation– From keyed random number generator• Key management inexistent– Introduce mandatory key update protocol– Force different key for each hostJonathan Stanton18Spring 2004 / Lecture 5Gaining AccessTrivial !• Record one authentication exchange– from (n, n ⊕ RC4(k)), recover RC4(k)– Use it to encrypt all future authentication challenges• Remedy– Use different cipher for authentication• A block cipher would do“Hi, it’s me”nn ⊕ RC4(k)Jonathan Stanton19Spring 2004 / Lecture 5Analysis of a DébacleWhy